Hi Rob,
On 20/04/2024 10:24, Rob Brewer wrote:
On Fri, 19 Apr 2024 15:39:39 +0200, Adolf Belka wrote:
- ALIENVAULT has not been updated since at least Nov 2022 but probably earlier. There is no date for the file to be downloaded but a forum user has log messages from Nov 2022 that indicate the file had not changed and therefore no download occurred.
- AT&T acquired AlienVault in August 2018. Somewhere between 2018 and 2022 the list stopped getting updated. AlienVault references on the AT&T website are now for a different product.
- Discussed in IPFire conf call of April 2024 and agreed to remove the ALIENVAULT blocklist.
- On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP list. The eDROP list is still available but is now empty. Trying to select the SPAMHAUS_EDROP list gives an error message that the blocklist was found to be empty.
- This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists from the ipblocklist sources file.
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org

config/ipblocklist/sources | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index be0cf0229..0835c0f9c 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -55,12 +55,6 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'parser' => 'ip-or-net-list', 'rate' => '12h', 'category' => 'reputation' },
'SPAMHAUS_EDROP' => { 'name' => "Spamhaus Extended
Don't Route or Peer List",
'url' =>
'https://www.spamhaus.org/drop/edrop.txt',
'info' =>
'https://www.spamhaus.org/drop/',
'parser' => 'ip-or-net-list',
'rate' => '1h',
'category' => 'reputation' }, 'DSHIELD' => { 'name' => 'Dshield.org Recommended Block List', 'url' => 'https://www.dshield.org/
block.txt',
'info' => 'https://dshield.org/',
@@ -106,12 +100,6 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'parser' => 'ip-or-net-list',, 'rate' => '1h', 'category' => 'application' },
'ALIENVAULT' => { 'name' => 'AlienVault IP
Reputation database',
'url' =>
'https://reputation.alienvault.com/reputation.generic',
'info' =>
'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-
reputation',
'parser' => 'ip-or-net-list',
'rate' => '1h',
'category' => 'reputation' }, 'BOGON' => { 'name' => 'Bogus address list (Martian)', 'url' => 'https://www.team-cymru.org/
Services/Bogons/bogon-bn-agg.txt',
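Review bot: in the first hunk (@@ -55,12 +55,6 @@) the 'SPAMHAUS_EDROP' key is deleted from %sources with no matching settings change, so an installation that enabled SPAMHAUS_EDROP but not SPAMHAUS_DROP is left with a setting that no longer names any source, while the ranges it was blocking now live only in the DROP list according to the commit message. The diffstat shows config/ipblocklist/sources as the only file touched, so either carry the settings migration in this patch or say in the commit message which patch in the series does it.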
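Review bot: in the second hunk (@@ -106,12 +100,6 @@) removing 'ALIENVAULT' from %sources does not cover systems where that list is currently enabled; the enabled setting and whatever was last downloaded, which the commit message dates to Nov 2022 or earlier, fall outside this one-file change. Please state in the commit message where the stale setting and the old data are cleaned up on update, and confirm that an enabled key with no entry in %sources is handled cleanly until then.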
It would appear that SPAMHAUS_EDROP has been merged into SPAMHAUS_DROP list.
That is correct. That is what I put in the commit message.
Spamhaus have the following page about the change.
https://www.spamhaus.org/resource-hub/network-security/spamhaus-drop-and-edr...
"; This list has been merged into https://www.spamhaus.org/drop/drop.txt
; Spamhaus EDROP List 2024/04/19 - (c) 2024 The Spamhaus Project
; https://www.spamhaus.org/drop/edrop.txt
; Last-Modified: Fri, 19 Apr 2024 13:49:21 GMT
; Expires: Sat, 20 Apr 2024 13:49:21 GMT
; EOF
I think it would be better to change the URL in the sources list from:
https://www.spamhaus.org/drop/edrop.txt
to
https://www.spamhaus.org/drop/drop.txt
Rather than just remove the list from the sources file.
I don't really understand your suggestion here. The EDROP list has gone. The old URL is still there but with an empty file except for the message.
The Spamhaus Drop list is now the equivalent of what used to be the Spamhaus eDrop list.
Having two entries, one called DROP and one EDROP, both pointing to the same list seems pointless to me and potentially confusing for users, as they might think they get something different from the two, and if they select both they will get two sets of exactly the same IPs.
What I can do is to make a modification to the script I added to the update.sh file to check if SPAMHAUS_EDROP=on is set in the settings file and then add SPAMHAUS_DROP=on to the settings file if it is not set, before removing the references to SPAMHAUS_EDROP.
Regards,
Adolf.
Rob Brewer
'info' => 'https://www.team-cymru.com/bogon-
reference',
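
The settings migration described in the reply above, written out as an added example; it is not code from this thread or from IPFire's update.sh. It assumes the ipblocklist settings file holds one KEY=value pair per line and takes its path as an argument; the function name, the override of an explicit SPAMHAUS_DROP=off and the removal of the ALIENVAULT key are assumptions.

```shell
#!/bin/sh
# Added example, not IPFire's update.sh. Assumes the ipblocklist settings
# file holds one KEY=value pair per line; its path is passed as $1.

# migrate_blocklist_settings FILE
# If SPAMHAUS_EDROP=on, make sure SPAMHAUS_DROP=on, then remove the retired
# SPAMHAUS_EDROP and ALIENVAULT keys. All other lines are kept in order.
migrate_blocklist_settings() {
    mbs_file=$1
    [ -f "$mbs_file" ] || return 0          # no settings yet: nothing to do

    mbs_edrop=0
    if grep -q '^SPAMHAUS_EDROP=on$' "$mbs_file"; then
        mbs_edrop=1
    fi

    mbs_tmp=$(mktemp) || return 1
    # Assumption: an explicit SPAMHAUS_DROP=off is overridden when EDROP was
    # on, because the ranges the user chose to block now live in DROP.
    awk -F= -v edrop="$mbs_edrop" '
        $1 == "SPAMHAUS_EDROP" || $1 == "ALIENVAULT" { next }
        $1 == "SPAMHAUS_DROP" && edrop == 1          { next }
        { print }
        END { if (edrop == 1) print "SPAMHAUS_DROP=on" }
    ' "$mbs_file" > "$mbs_tmp" || { rm -f "$mbs_tmp"; return 1; }

    # Write back through the existing file so its owner and mode are kept
    # (mktemp creates the temporary file with mode 0600).
    cat "$mbs_tmp" > "$mbs_file" || { rm -f "$mbs_tmp"; return 1; }
    rm -f "$mbs_tmp"
}

# Constructed sample settings, for demonstration only.
demo=$(mktemp)
printf '%s\n' 'BOGON=off' 'SPAMHAUS_EDROP=on' 'ALIENVAULT=on' 'DSHIELD=on' > "$demo"
migrate_blocklist_settings "$demo"
cat "$demo"
rm -f "$demo"
```

Running it twice on the same file gives the same result, which matters for an update script that may be re-applied.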